Introducing HP DevInspect 5.0
HP DevInspect extends the reach of HP’s Application Lifecycle Optimization portfolio into product development. Combining our award-winning dynamic application scanning technology with static code analysis, HP DevInspect is the only tool available that performs true Hybrid Analysis – both white-box and black-box testing. HP DevInspect is seamlessly integrated with the Integrated Development Environment (IDE) – Visual Studio for .NET or Eclipse or RAD for Java – minimizing the training required to learn a new tool and eliminating any disruption of the development timeline. The release of HP DevInspect 5.0 further enhances Hybrid Analysis and increases development efficiencies with the following features:
Visual Studio 2008 Support
HP DevInspect for .Net now supports Microsoft Visual Studio 2008 and Visual Studio 2005. Businesses can now test for vulnerabilities with Hybrid Analysis regardless of the Visual Studio IDE preferred by their developers even in mixed environments.
Struts 1.x MVC support
Struts is one of the most popular java frameworks used for web application development. HP DevInspect for Java 5.0 fully supports integrated security testing within Eclipse or IBM RAD for applications using the Struts framework. Corporations using industry standard design practices can now take full advantage of the Hybrid Analysis inherent in HP DevInspect.
Hybrid Analysis
HP DevInspect is the only product to combine static analysis of all byte-code (both Java and MSIL) with dynamic black-box vulnerability scanning in one. The static analysis and dynamic scan engines have both been upgraded in HP DevInspect 5.0 to increase the accuracy, performance, and repeatability of our Hybrid Analysis. The time and money spent finding and fixing security vulnerabilities can now be dramatically decreased by equipping developers with an IDE with built-in Hybrid Analysis.
Vista Support
HP DevInspect for Java and HP DevInspect for .Net are now fully supported on Microsoft Vista. IT organizations looking to upgrade their existing desktop environments can transition their developers without risking their ability to perform Hybrid Analysis on their applications.
Ready for Download today!
Introducing HP QAInspect 5.0
HP QAInspect completes the third pillar of Application Lifecycle Optimization. Does it work? Does it perform? Is it secure? Built on the foundation of the award-winning application scanning technology in HP WebInspect, QAInspect enables quality professionals to fully manage the process of finding and fixing security defects early in the application lifecycle. This ability to manage security defect testing early in the application lifecycle mitigates risk in the application, saves money on revisions over the life of the application, and produces more holistic data for a Go/No Go decision. The upcoming release of HP QAInspect 5.0 extends the already robust integration with Quality Center with the following new features:
Defect Staging
New in QAInspect 5,0 is a staging area to vet vulnerabilities before they are added to the defect table within QC. Users can fully test and validate all vulnerabilities found by the scan to ensure that application developers are only spending development cycles fixing confirmed defects.
Defect Consolidation
Vulnerabilities found during a scan can now be viewed as a consolidated list, grouped by application page or defect type. For example, a user may view all vulnerabilities found on the login page of an application. Similarly, a user may view all Cross-Site Scripting vulnerabilities or all SQL Injection vulnerabilities grouped into a single pane. The ability to group vulnerabilities allows users to more quickly log specific defects and assign defect tasks to developers with greater accuracy.
Folder Restrictions
Restrict the crawl and audit of a scan to a particular folder. This allows much more granular control of the testing allowing for better targeted security testing. Once a particular application section has been audited and all security issues mitigated to an acceptible degree it can be moved to regression; focusing new security testing and fixes on new functional areas of the application.
Parameter Highlighting
As the size and complexity of web application pages grow the ability to quickly find a specific parameter within a vulnerable page becomes a greater burden. In order to eliminate the time wasted by developers searching a page for a particular vulnerability all defect reports now highlight the specific vulnerable parameter within the HTTP Request/Response pair. Developers can easily find the vulnerable part of the application and apply a fix with limited downtime.
Trial License Now Available (Click Here)
This release includes a trial license allowing Quality Center customers to download and evaluate QAInspect for 15 days; enabling them to make better purchase decisions. Talk to your sales representative for more details.
Hi everyone, we have just completed the new HP Application Security Resource Library. Your one stop shop for product datasheets, whitepapers and presentations. If you currently going to the downloads section on the Portal site for some of this information please update your links and use this new location instead.
If you haven't had the chance to read some of our whitepapers or presentations, take a moment to check it out, there are great articles on dealing with AJAX security issues, PCI Compliance as well as papers on SQL Injection and Cross Site Scripting (XSS). All together the new HP Application Security Resource Library might be one of the largest collections of application security focused documents available on the web.
We are also always looking for requests on what papers and articles you would like to see added, drop us a comment or two with your requests.
Thanks,
Erik
WebInspect 7.7 coming soon, so what's new? Great question!
What better way to let our customers know that HP is 100% commited to improving and delivering new functionality in WebInspect than to bring everyone a new release. This is our second WebInspect product update since getting aquired and there is a lot of things in this release that I think is going to make everyone very happy.
What's New
- Re-branding to HP
WebInspect has been re-branded to show that it is now a part of the HP Software family. I had the task to pick from all sorts of images to find the one for the splash screen, i'm not sure I found the right one so I plan on changing it in the next release. I'd like to give the WebInspect community the oppertunity to suggest what we put in there next release so drop me a comment with your ideas. - New Reports
A new False Positive report provides a list of the vulnerabilities that are currently marked as false positive. See “Improved False Positive Handling” below for more information. - Compliance Updates
Two new compliance templates will generate compliance reports based on OMB and OWASP Top 10 2007 requirements. The OMB template addresses major application security sections that were defined in December 2004 by the Office of Management and Budget (OMB) for Federal agency public websites. While the previous OWASP Top 10 list included a mix of vulnerabilities and attacks, the OWASP Top 10 2007 list focuses on vulnerabilities. - False Positive View
WebInspect now has a False Positive view that allows you to see the vulnerabilities and sessions that are currently marked as false positive. From the False Positive view, you can select a session or a vulnerability that you have determined is not a false positive and mark it as a vulnerability again. See “Improved False Positive Handling” below for more information. - Vulnerability Filtering
You can now filter vulnerabilities to prevent multiple parameters for the same session or multiple values sent for the same parameter from appearing multiple times in the site tree and reports. Vulnerability filtering consolidates the related vulnerabilities into a single vulnerability. The Vulnerability Filter is disabled by default, but can be configured on the Settings window under Audit Settings. - Enhanced Web Services Scans
WebInspect now supports the use of log-in scripts and a means of specifying parameter values for web services scans.
What’s Improved
Improved IPv6 Scanning
WebInspect now has improved recognition of IPv6 literal URLs and improved scanning of IPv6 sites. You can type an IPv6 literal URL into the scan wizard and WebInspect will validate the entry, parse the URL, and recognize IPv6 literal addresses in links on web pages. Additionally, Web Discovery handles IPv6 endpoints and range enumeration.
Improved SOAP Assessment
WebInspect can now assess web sites that use SOAP Version 1.2 to transmit SOAP messages. SOAP Editor modifications have been made to collect SOAP message values for WSDL scans. Additionally, several known issues involving the SOAP Editor and SOAP assessments have been resolved to generally improve overall SOAP assessments.
- Improved Status Communication to AMP
The WebInspect sensor now sends regular status updates to AMP. The updates are displayed as "Scanning X of Y; Duration:00:00:00:0000; Errors:0" in the Devices à Sensors view on the AMP Console. - Improved False Positive Handling
In the Vulnerabilities tab, you can select a session or a vulnerability that you believe to be false positive and send an immediate notification to HP support. If a vulnerability is selected, a list of all URLs that are vulnerable appear in the Mark as False Positive window. You can select all URLs or individual URLs to mark as false positive. You can also type a comment to send to HP support along with your false positive notification. I want to stress how cool this feature is because we have built a portal here at SPI/HP that we log into and can review this stuff. The reports you are sending us are being read by our SPI labs team to help guide the improvements and check changes they make on a daily basis. - Improved Support Channel Communication
After submitting a false positive notification to HP support, you will receive a pop-up message from SPI Monitor that includes a tracking number for the notification being sent.
That's it! We hope you enjoy it when it's released, look for it on SmartUpdate on the usual download locations sometime next week.
Quick update, there will be a minor update for all WebInspect users this week. Mainly lots of little fixes (like the broken SQL Injector start menu link, oops!) but one new feature: Deactivate License.
Ever since we introduced our new licensing system we have made it way too hard to move your copy of WebInspect from one machine to another requiring you to call our support guys if you wanted to move the license. The new deactivate license feature (found under application settings->license) allows you to deactivate your install (returning WebInspect to a unlicensed state) which then frees up your license to be used again wherever you want. Just use the same activation token you received from us when you bought WebInspect to reactivate your new installation.
For those of you who move your copy of WebInspect around a lot, this should be really handy. Just remember to deactivate before you re-image that machine and you can re-use the activation token again later.
If you have any questions, please post them here and I'll be quick to answer, thanks!
Hot on the heels of WebInspect 7.5 is HP QAInspect 4.0.1 for HP Quality Center (say that 5 times fast!)
New features include:
Quality Center 9.2 support
Crawl-Only feature
Windows Authentication for AMP
Ability to update license through a proxy
Contact your support represenatitive or our sales team today for more information. If you are an existing customer run SmartUpdate now to get the latest updates.
Download now from https://download.spidynamics.com/products/WebInspect/ or use SmartUpdate.
What's New
Pre-scan Profiler – WebInspect's new pre-scan Profiler analyzes the application and offers suggestions for changes to the scan settings to optimize your assessment. The Profiler can evaluate and recommend settings for authentication, proxies, files not found, allowed hosts, and much more.
The Profiler can be launched as a separate tool or configured in the Scan Wizard to automatically launch prior to the start of a scan.
Interactive Logout Notification – During an interactive mode scan, WebInspect notifies you when a logout has occurred, and displays a browser view of the page where the logout occurred, allowing you to login again.
Traffic Monitor – The Traffic Monitor allows you to view HTTP traffic in real time during a scan. The Traffic Monitor displays every request sent and response received by WebInspect in real time during the crawl and audit.
Enterprise Assessment – Enterprise Assessment provides you with a comprehensive overview of your Web presence from an enterprise network perspective. URLs and IP addresses can be entered individually, or WebInspect can discover all available servers within a range of IP addresses and ports that you specify.
Right-click SQL Injector – You can now launch the SQL Injector tool by right-clicking on a vulnerable session and selecting SQL Injector from the Tools menu.
Regex in Allowed Hosts – You can now use Regex in the Allowed Hosts list, so that if a host matches a Regex pattern entered, it will be allowed for crawl and audit.
Launch Interactive Mode from Web Macro Recorder – You can now configure the Web Macro Recorder to launch Interactive Mode as part of a Macro.
Restore Factory Defaults to Application Settings – You can now restore Application Settings to their factory default settings.
Launch SPI Proxy from WebInspect Scan Wizard – You can now launch SPI Proxy from the Configure Network Proxy window in the Web Site Assessment wizard.
Windows Vista Support - WebInspect 7.5 is now fully supported under windows Vista (Please note, support for 64 bit systems is still forthcoming)
What's Improved
AJAX Auditing – AJAX Web applications can create several opportunities for possible attack if the application is not designed with security in mind. Since AJAX Web applications exist on both the client and the server, they include the following security issues:
Create a larger attack surface with many more inputs to secure
Expose internal functions of the Web application server
Allow a client-side script to access third-party resources with no built-in security mechanisms
Improved AJAX auditing detects common AJAX frameworks that involve the following:
Function calls made in a client-side scripting language, such as JavaScript
Use of the XMLHttpRequest objects to make data requests without having to reload the page
Use of JavaScript Object Notation (JSON) format to transfer data between the server and client
Export Ability in Log Viewer – You can now export Audit, Crawl, Scanner, and StateRequestor logs from the Log Viewer tool.
Manage Scans Enhancement – You can now select and delete multiple scans in the Manage Scans window.
Export Scan Details Enhancement – The Export Scan Details window has been redesigned for improved usability.
| |
Now Available
The Next Generation of Web Application Scanning |
|
WebInspect 7.1 features Server Analyzer, a new advanced tool for pen-testers: Server Analyzer is a web server identification and discovery tool designed to quickly identify and understand the nature of a web server or web-enabled device. - Identifies popular web server software, web application software, embedded/web-enabled devices, and supporting network architecture components such as proxies and load balancers.
- Uses a special characteristic-based identification technology that is capable of deducing the server software type despite attempts to hide the server software's true identity.
- Improves server identification accuracy reduces false-positive identifications due to configuration obfuscation.
- Performs deep SSL SSL analysis on HTTPS sites, showing various information related to the server's SSL configuration.
| 
| 
|
|
The following additional WebInspect 7.1 enhancements were designed to further simplify and speed up the installation and assessment processes. - New simple scan enabling users to conduct a comprehensive scan by entering only the URL, user name and password.
- Faster scans through redundant page detection.
- Simplified installation process by removing the dependency on SQL Server Express.
- Enhanced Quality Center integration. Send defects directly to QC from WebInspect's site tree or vulnerability pane.
|
|
Already a Customer? |
If you are already a WebInspect 7.0 customer and need to upgrade, please run WebInspect and click on the SmartUpdate icon at the bottom of your screen. If you would like to download the installer, please click here. | 
|
|
Join the SPI Community
Blogs, Forums, Downloads and more
|
We released last Friday (3/30/07) a service pack to DevInspect for Java to fix some critical installation issues that were causing customers a lot of pains in their installation process when trying to evaluate the Java product. They were minor issues, but were popping up a lot, so we decided we needed to get them fixed as soon as possible to smooth the evaluation process. We also included a new and improved QuickStart guide with more detailed instructions on getting started. The getting started information is also available as an Eclipse “cheat sheet” within the software, so users will see a guided tutorial that helps them get licenses and scanning after installation.
This version of the DevInspect for Java product is 3.0.1.0, but is functionally identical to the 3.0.0 version. The DevInspect 3.0.1.0 for Java version contains the following:
- Fixed an issue with the DevInspect 3.0.0 installation package that in some instances failed to recognize that the required Windows Installer version was present on the installation target.
- Fixed an issue with the DevInspect 3.0.0 installation package that failed to recognize that the .NET Framework 2.0 was present when .NET Framework 3.0 had been installed.
- Enhancements to the QuickStart and User Guide documentation to help users get started with configuring and using DevInspect.
- Introduction of an Eclipse “cheat sheet” that walks the user through the steps to get started with DevInspect. The cheat sheet will appear upon initial startup of the standalone version of DevInspect. In other versions, or after closing the cheat sheet, you can open it by opening Window…Show View…Other and selecting the Cheat Sheets view.
Since these items are in response to installation and ease-of-use issues, if a customer is up and running, they do not need to pick up this service pack. For those that need the service pack to address installer issues, it is distributed in two ways:
A new installation program is available at:
https://download.spidynamics.com/products/DevInspect/Java/DevInspectJavaSetup.exeExisting users can update to this version through the Eclipse Update Manager. To check for DevInspect feature updates, or if you have received notification from SPI Dynamics that a new release is available, follow these steps. Go to Help…Software Updates…Manage Configuration. In the Product Configuration dialog, locate and select DevInspect for Java. In the right-hand pane, select Scan for Updates. If updates are found, follow the on-screen instructions to upgrade to the latest version of DevInspect.
Finally, for those that just need the new and improved QuickStart information, you can get that document here:
https://download.spidynamics.com/products/DevInspect/Java/DevInspectJavaQuickStart.pdf
Hot on the heels of our 7.0 release on Feb 14th, i'm happy to announce that our next WebInspect update release, version 7.0.286.3, is now available via SmartUpdate and download. This update delivers close to 250 issues and minor enhancements to the new WebInspect 7 platform. If you haven't already downloaded it, please check it out now by hitting SmartUpdate.
We have also already started on the next update release as part of our new rapid release strategy, expect to see a steady stream of continuous updates throughout the year all made possible by our new Phoenix architecture. If you are looking for a new feature or have a particular annoyance you would love to see us address let us know by heading over to our WebInspect product forums and letting us know. For those of you who are customers and haven't already done so, make sure you have activated your portal account for full customer access and to gain access to the product support forums as well by sending an e-mail to portal@spidynamics.com.
SPI Dynamics’ products and services have been nominated for several Info Security Products Guide Global Product Excellence Awards!
We encourage you to vote for your favorite SPI Dynamics’ product
and services today. Voting begins March 8th 00:01AM (PST) and ends
March 28th 11:59PM (PST).
Vote now on the following SPI Dynamics products services
- Excellence in Application Security – WebInspect™ 7
- Excellence in Auditing – WebInspect™ 7
- Excellence in Security Audit - WebInspect™ 7
- Excellence in Vulnerability Assessment - WebInspect™ 7
- Excellence in Application Security Management – Assessment Management Platform® (AMP) 2.5
- Excellence in Large Enterprise Security Solution - Assessment Management Platform® (AMP) 2.5
- Excellence in Security Testing – QAInspect® 3.0
- Excellence in Vulnerability Remediation - DevInspect® 3.0
- Excellence in Managed Security Service – WebInspect™ Direct
- Excellence in Professional Security Training - Educational Services and Free Secure Software Workshops
I'm experimenting with Feedburner and considering using it for all the blogs on SPI Portal. I've moved the RSS and ATOM feeds for this blog over to FeedBurner to see how it all works out. If you have subscribed to this blog, now would be a good time to change the link to
BTW, If you have had bad experience with FeedBurner, I'd like to know so feel free to drop me a comment or two before I move all of SPI Portal over ;)
It is with awesome excitement that I announce that WebInspect 7 is now available for download. For those who want to beat the rush, please visit https://download.spidynamics.com/products/webinspect/ for install and download instructions.
Please note, if you are an existing customer, you will require a new license key which you should receive later today around 2:00, I recommend you beat the download rush, start your downloads now and go to lunch, by the time you get back your license should be waiting for you.
If however 3:00 rolls around and you haven't received it, check your SPAM filter and then call our support team, they will be happy to help.
I'd like to hear some of the first reactions to the new release, please let me know what your first impressions are by commenting here.
Enjoy!
-Erik
I'm heading out this week to make the yearly security pilgrimage to RSA where lots of SPI Dynamics folks will be presenting WebInspect 7, speaking and having fun. For many of you this will be your first chance to see the new WebInspect 7 powered by our new Phoenix architecture up close. Stop by booth Booth #505 where we will be giving out cool Phoenix T-Shirts and providing demos. I'll certainly be in the booth as well helping out, answering your questions and listening for cool ideas for future releases.
On Wed. night we also have big plans with our WebInspect 7 Launch party (learn more and RSVP here) at the W hotel in San Francisco. I hope to see many of you all there.
So what's new in WebInspect 7 and what is Phoenix?
WebInspect 7 is a total re-architecture of the product and represents about 3 years of work. It was a huge undertaking, but something we realized several years back had to be done. Why? If you look at the web application scanning market today you see a lot of products, most of which got their start around 1999 and pretty much everything since has followed the same pattern - 1) Crawl 2) Audit 3) Report. This process works great for the web of 1999 but what about today? Imagine trying to apply this same process to an assessment of a desktop application, it clearly doesn't apply and with web applications looking a lot more like desktop applications these days, it doesn't apply to the web very much either. We had to rethink the very foundations of our scanner and we gave this project a codename: Phoenix.
The Phoenix Architecture
Phoenix is much more than a set of technologies for WebInspect, it's going to be the foundation for all of our products. DevInspect, released in 2005 was the first product from SPI to be based on Phoenix and allowed us to deliver the first assessment product to perform both source code and balckbox testing simultaneously in a single product (what SPI calls Hybrid Analysis). But there was so much more we wanted to do, for starters we knew we needed a new way to analyze web applications and the old legacy 1) Crawl 2) Audit 3) Report process had to go. So with WebInspect 7 we introduce a first for our industry Simultaneous Crawl and Audit (SCA). SCA takes all of the old assumptions for testing web sites and turns them on their head. The moment a session is found we go to work and don't wait around to do the audit work later. A session is what we call a request/response pair and as WebInspect assesses your web site it maps out the sessions across your site and points out vulnerabilities immediately (just don't call sessions pages, web pages are soooooo 1999 and they can be much more than that). In addition to SCA we also built an entirely new state management engine that tracks the progress of your assessment and if WebInspect gets logged out or disconnected from the web site, it transparently takes care of pausing the scan and reconnecting when things get into trouble. Additionally if the scan encounters authentications schemes that can't be automated like two factor or CAPTCHA it will pause the scan and ask for input.
Immediate Results
Because everything is running all out, all at once, results start to pour in fast the moment you fire up the assessment. If you fulfill your vulnerability quota in the first 5 minutes, go ahead a start a report. Notice I didn't say stop the scan, that's because you don't need to stop the scan to run a report. What if you want to kick off an second scan using multiple user ID's to check for privilege escalation vulnerabilities or scan a complete different site at the same time to get ahead on your work load? You can do all of that at the same time within WebInspect 7.
New Features
I could most likely talk for days on every new feature, here are some of the highlights. Please drop a comment on this blog if you have questions or would like me to go into details on any of them:
- Simultaneous Crawl and Audit (SCA) - The crawl and audit happen together as part of one fluid process that provides immediate results within seconds of starting a scan
- Advanced Authentication Management - Manage state dynamically, detect and prompt for two factor and CAPTCHA
- Simultaneous scanning - Run more than one scan at the same time
- SQL Server storage - All Scan data is stored in SQL server for high performance, high capacity scans
- Enhanced SPI Toolkit - All the tools have received updates to improve their reach and capabilities
- SupportChannel - Send questions, issues and enhancement reports direct to SPI from within the product
- Advanced Step Mode - Run testing steps through WebInspect, recording everything and providing automated testing while you perform manual testing
- IPv6 Support - Support future Internet architectures build on IPv6 networks
- Tabbed Interface - Open multiple reports, scans and activities all within a simple, easy to navigate interface
Get Ready for the Upgrade
WebInspect 7 will be made available to all current SPI Dynamics customers, but this time we will be doing a lot of things differently. On release you will get a notice via SmartUpdate asking you if you want to install the new version. The upgrade will not be required and you can keep on using 6.2 until you decide you want to upgrade but when you do decide the WebInspect 7 install will not replace WebInspect 6.2. You can run both side by side if you want, and both will continue to receive SmartUpdates! Before you choose to upgrade however you are going to want to follow the next few steps:
First make sure your system is ready, here are the new pre-requisites
- .NET 2.0 Framework (you should NOT uninstall .NET 1.1 if you have any .NET 1.1 applications you want to keep running, like WebInspect 6.2!)
- Microsoft SQL Server Express SP1 or Microsoft SQL Server (feel free to run that 20 GB scan, if you have the disk space, we've got the time)
You can get both of these components here (http://msdn.microsoft.com/vstudio/express/sql/download/)
Second there are some things we couldn't support anymore, if you are running Windows 2000, have less than 512 MB of RAM or less than 1.5 GHz CPU, it's time to upgrade.
What to expect between now and release day
WebInspect 7 is truly a different product, so you will need to get a new license as well. SPI is going to be sending out new licenses to all existing companies in advance of release day. If for some reason you don't receive your's (perhaps we had the wrong e-mail or your SPAM filter blocked it) have no fear, just send your existing WebInspect license to support@spidynamics.com and request a new license, we will have you up and running in no time.
When is release day?
February 14th 2007, keep on eye on this blog for possible early release information!
Just in time for the holiday shopping season (who doesn't want a copy of WebInspect in their stocking on December 25th?) it's WebInspect 6.2.155! This latest update adds additional capabilities to the SQL and
XSS Intelligent Engines and improves the stability and accuracy of the
product overall and is now available to those in the know for early download here (Portal account required). All customers a recommended to upgrade as soon as
possible. We will be releasing this update via SmartUpdate tomorrow around 10:00 AM EDT if you prefer to get your updates pushed to you automatically.
If you have any questions or comments for SPI and the WebInspect team, sound off and let us know in the SPI Portal Forums.